Disallow direct root login to SSH...

On follow up of the comment at: secure ssh...

To disallow direct root login via SSH, edit the "/etc/ssh/sshd_config" file with a text editor and find the following line:

#PermitRootLogin yes

Change the yes to no and remove the comment character at the beginning of the line:

PermitRootLogin no

Restart the sshd service.

# service sshd restart

It is also recommended to restrict access to your system by limiting users root access with the su command.

Add trusted users to the special administrative group called wheel via:

# usermod -G wheel <username>

Next open the PAM configuration file for su, "/etc/pam.d/su" in a text editor and remove the comment [#] from the following line:

auth  required /lib/security/pam_wheel.so use_uid

The root user is part of the wheel group by default and doing this will permit only members of the administrative group wheel to use the program.

Additionally, you can change the permission on the 'su' binary as below:

# chgrp wheel /bin/su
# chmod 4750 /bin/su

Related Reading: Limit SSH users with PAM

Reference: Linux Security Guide.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

sshd_config AllowUsers keyword

Additionally, you can specify explicitly which user can login via SSH using the 'sshd_cofig' file instead of using PAM.

AllowUsers <user1> <user2>

WARNING: If you only have remote access, be very careful and enable telnet before you play around with sshd_config!!

Failed su login attempts caused due to deprecated pam_stack

I had set up the root login restriction as in the above post and only allow su from users in the wheel group. However after doing a yum update today I was having failed logins trying to su in as root. My secure log showed -- Deprecated pam_stack module called from service "su".

Linux-PAM 0.78 and later contains the include directive which obsoletes the pam_stack module. pam_stack module usage is logged with a deprecation warning. It seems to have been removed in pam- release in FC5.

I had to replace "/etc/pam.d/su" with "su.rpmnew" in order to be able to su in as root again.